Security tools that limit user logon in Windows

Security expert Kevin Beaver describes the pros and cons of some free security tools -- and commercial ones -- for monitoring Windows network login activity. In addition, he outlines the steps for creating network security workarounds with a more homegrown feel. They are simple to manage, but groundbreaking they ain't.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

administrators:

Can you limit how many times a user can log on to the network?

Solutions to this type of problem have been around for a while. The problem is that not many people are aware of them.

For starters, you can use Microsoft's LimitLogin tool. This tool, which can be downloaded for free, snaps right into your Active Directory implementation. It runs on the Windows Server 2003 system on your network that owns the domain naming master fsmo role and supports Windows 2000 SP4+ clients. It extends the Active Directory schema and requires IIS for a back-end Web service component and client-side installation -- all of which some folks would frown upon. That said, it adds an extension to the Active Directory Users and Computers MMC and is relatively simple to manage.

The only downside I can see is that LimitLogin is not supported by Microsoft. However, once you work your way through the included help file (LimitLogin.chm) and get it installed and configured, you should find it to be a relatively low-maintenance application.

Outside of enforcing the number of concurrent logins, you can also use LimitLogin as a login auditing tool to see how and when users are logging into the network. It's not groundbreaking, but certainly a nicety if you can't justify spending good money on a commercial network audit logging system.

Last year, I came across a commercial alternative to LimitLogin (that's also well-liked by many Windows admins) called UserLock by IS Decisions. UserLock works in a similar fashion to LimitLogin but offers more enterprise features that you'd expect to find in a commercial product, like real-time alerting and reporting.

Finally, if you're on a limited budget and have time to tinker around with Windows, you could build your own homegrown solution. For example, you could create a Windows login script component that maps a drive to the user's home directory share. If it's unable to create the mapping, then error out and log off. On each user's home directory share, you would set the maximum number of connections to 1. When the user logs in once, all's well. However, doing so twice would generate a net use error level of 1. This error could be captured in the login script to redirect to the logoff command and exit.

You could also set the workstation that each user must use to log in to the network. In Active Directory Users and Computers, under User/Account/Log On To, you could set the specific workstation(s) the user is allowed to log on to. Unlike LimitLogin and UserLock it's a rather limited workaround, but it may be all you need.

These homegrown solutions should work fine for small networks, but they could easily turn into a real pain -- if not a liability -- in larger environments. I see it all too often -- where network admins thrive on their own custom applications to keep the network up and running. The problem is that these custom apps can be a single point of failure if something happens to the administrator and they don't play well in environments where separation of duties is needed. Plus, ongoing auditing, reporting and overall change management is much more difficult if not impossible.

With one of these login limiting techniques, you'll improve user accountability, network security and -- as a nice side benefit -- you'll be compliant with X policy or Y regulation all at the same time.

0 comments

E-Mail

Username / Password

Password

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy